Mitigating Security Update Risks Part 4: Testing Procedures for ePO, EDR, ENS, and HX
By Liberty Williams, Timothy Umphrey, Aaron Yarnal, Brandon West, Ron Keyston, Jacob Robinson, David Connelly and Zak Krider · August 12, 2024
A Professional Services Perspective
Trellix’s technology solutions offer customers Transparency, Choice, and Responsibility with regard to software and security content updates, as shown in Part 1, Part 2, and Part 3 of this blog series. In Part 4, we explore specific test cases and procedures that customer administrators can use to validate the integrity and functionality of Trellix software deployed in the environments they manage.
Best Practices
Some of the test cases shown here are labor intensive and are not meant to be run against every single endpoint or server in the environment. Customer administrators should identify a small group of designated test systems, preferably in the hands of knowledgeable technical staff, where disruptions can be detected without risk of interrupting production activities. For servers, development and pre-production environments are ideal for these activities.
Product Version Updates
Prior to updating Trellix products to a new product version, determine whether application performance testing baseline metrics exist for the third-party software used by the organization. Identify any existing performance issues that may be a concern; these should be baselined before installing or upgrading Trellix products so that a later change can be attributed correctly.
Items to consider measuring before and after installing or updating Trellix products include:
- Average time for system startup
- Average time for user logins
- Average CPU utilization
- Average Memory utilization
- Average Disk I/O utilization
- Critical application specific performance metrics
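As an added example (not part of the Trellix post), the following PowerShell captures the boot-duration, CPU, memory and disk I/O metrics from the list above into a CSV, and compares a pre-update capture with a post-update one against a percentage threshold. It assumes a Windows endpoint running PowerShell 5.1 or later in an elevated session; the counter set, output path and 20% threshold are choices of this example rather than Trellix guidance, and average login time is left out because how it is measured depends on your logon infrastructure.

```powershell
# Added example, not code from the Trellix post.
# Dot-source this file, run Measure-PerfBaseline before and after the update,
# then Compare-PerfBaseline on the two CSV files.
# Assumptions: Windows, PowerShell 5.1+, elevated session (needed for the
# Diagnostics-Performance event log and the PhysicalDisk counters).

# Boot duration in milliseconds of the most recent startup, from event ID 100
# in Microsoft-Windows-Diagnostics-Performance/Operational. Returns $null if
# the log or event is unavailable.
function Get-LastBootDurationMs {
    try {
        $ev = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'
            Id      = 100
        } -MaxEvents 1 -ErrorAction Stop
        $data = ([xml]$ev.ToXml()).Event.EventData.Data
        $boot = $data | Where-Object { $_.GetAttribute('Name') -eq 'BootTime' }
        return [int]$boot.InnerText
    } catch {
        return $null
    }
}

# Sample CPU, committed memory and disk throughput for $SampleSeconds and
# write one averaged row to a CSV.
function Measure-PerfBaseline {
    param(
        [string]$OutFile = "$env:TEMP\perf-$(Get-Date -Format yyyyMMdd-HHmmss).csv",
        [int]$SampleSeconds = 300,
        [int]$IntervalSeconds = 5
    )
    # Counter order matters: CounterSamples come back in this order.
    $counters = @(
        '\Processor(_Total)\% Processor Time',
        '\Memory\% Committed Bytes In Use',
        '\PhysicalDisk(_Total)\Disk Bytes/sec'
    )
    $maxSamples = [math]::Max(1, [int][math]::Floor($SampleSeconds / $IntervalSeconds))
    $sets = Get-Counter -Counter $counters -SampleInterval $IntervalSeconds -MaxSamples $maxSamples

    $avg = @(0, 0, 0)
    for ($i = 0; $i -lt $counters.Count; $i++) {
        $vals = $sets | ForEach-Object { $_.CounterSamples[$i].CookedValue }
        $avg[$i] = ($vals | Measure-Object -Average).Average
    }

    $row = [pscustomobject]@{
        Timestamp              = (Get-Date).ToString('s')
        Host                   = $env:COMPUTERNAME
        BootDurationMs         = Get-LastBootDurationMs
        AvgCpuPercent          = [math]::Round($avg[0], 2)
        AvgCommittedMemPercent = [math]::Round($avg[1], 2)
        AvgDiskBytesPerSec     = [math]::Round($avg[2], 0)
    }
    $row | Export-Csv -Path $OutFile -NoTypeInformation
    return $row
}

# Compare two captures. A metric passes when it grew by no more than
# $MaxIncreasePercent relative to the "before" value (the threshold is this
# example's choice; tune it to your environment).
function Compare-PerfBaseline {
    param(
        [Parameter(Mandatory)][string]$Before,
        [Parameter(Mandatory)][string]$After,
        [double]$MaxIncreasePercent = 20
    )
    $b = Import-Csv -Path $Before | Select-Object -First 1
    $a = Import-Csv -Path $After  | Select-Object -First 1
    foreach ($m in 'BootDurationMs', 'AvgCpuPercent', 'AvgCommittedMemPercent', 'AvgDiskBytesPerSec') {
        # Empty cells (e.g. boot time unavailable) are treated as 0.
        $bv = if ($b.$m) { [double]$b.$m } else { 0 }
        $av = if ($a.$m) { [double]$a.$m } else { 0 }
        $delta = if ($bv -gt 0) { ($av - $bv) / $bv * 100 } else { 0 }
        [pscustomobject]@{
            Metric       = $m
            Before       = $bv
            After        = $av
            DeltaPercent = [math]::Round($delta, 1)
            Pass         = ($delta -le $MaxIncreasePercent)
        }
    }
}

# Usage: . .\Measure-PerfBaseline.ps1
#        Measure-PerfBaseline -OutFile C:\perf\before.csv   # then update the product
#        Measure-PerfBaseline -OutFile C:\perf\after.csv
#        Compare-PerfBaseline -Before C:\perf\before.csv -After C:\perf\after.csv
```

Run the capture under the same workload both times (the same critical applications open, the same sampling window), otherwise the delta reflects the workload rather than the update. The boot-duration reading only changes after a reboot, so take the "after" capture once the machine has restarted with the new version.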
A note about EDR Dynamic Updates
Administrators wishing to perform canary testing of EDR updates must disable the feature “Dynamic Content Updates” and select “ePO Push Content Update” instead.
Endpoint Security 10 (ENS)
Test Cases for ENS
Test ID | Applicable to (type of change)? | Test Name | Description/Procedure | Pass? | Test Date |
ENS-001 | Daily DAT update | Canary Test | Configure a select group of machines to use the Evaluation Branch to pull their DAT updates, give them a short ASCI, and observe whether they experience issues | TRUE/FALSE | |
ENS-002 | Daily DAT update | Test vs Critical Applications - Memory | Confirm the latest DAT is loaded on a test machine, load a selection of your critical business apps, and observe the memory impact; this can be automated with third-party tools | TRUE/FALSE | |
ENS-003 | Daily DAT update | Test vs Critical Applications - CPU | Confirm the latest DAT is loaded on a test machine, load a selection of your critical business apps, and observe the CPU impact; this can be automated with third-party tools | TRUE/FALSE | |
ENS-004 | Daily DAT update | Test vs Critical Applications - Disk I/O | Confirm the latest DAT is loaded on a test machine, load a selection of your critical business apps, and observe the disk I/O impact; this can be automated with third-party tools | TRUE/FALSE | |
ENS-005 | Daily DAT update | EICAR test | Confirm the latest DAT is loaded on a test machine and attempt to access the EICAR test file (available from eicar.org); success if a threat detection occurs | TRUE/FALSE | |
ENS-006 | Exploit Prevention Content | Canary Test | Configure a select group of machines to use the Evaluation Branch to pull their Exploit Prevention Content updates, give them a short ASCI, and observe whether they experience issues | TRUE/FALSE | |
ENS-007 | Exploit Prevention Content | Test vs Critical Applications - Memory | Confirm the latest Exploit Prevention Content is loaded on a test machine, load a selection of your critical business apps, and observe the memory impact; this can be automated with third-party tools | TRUE/FALSE | |
ENS-008 | Exploit Prevention Content | Test vs Critical Applications - CPU | Confirm the latest Exploit Prevention Content is loaded on a test machine, load a selection of your critical business apps, and observe the CPU impact; this can be automated with third-party tools | TRUE/FALSE | |
ENS-009 | Exploit Prevention Content | Test vs Critical Applications - Disk I/O | Confirm the latest Exploit Prevention Content is loaded on a test machine, load a selection of your critical business apps, and observe the disk I/O impact; this can be automated with third-party tools | TRUE/FALSE | |
ENS-010 | Exploit Prevention Content | Validate Exploit Prevention Functionality | Use your third-party vulnerability management software to attempt a penetration test against your test machine with the latest Exploit Prevention Content and all rules enabled | TRUE/FALSE | |
ENS-011 | Engine Updates | Canary Test | Configure a select group of machines to use the Evaluation Branch to pull their engine updates, give them a short ASCI, and observe whether they experience issues | TRUE/FALSE | |
ENS-012 | Engine Updates | Test vs Critical Applications - Memory | Confirm the latest engine is loaded on a test machine, load a selection of your critical business apps, and observe the memory impact; this can be automated with third-party tools | TRUE/FALSE | |
ENS-013 | Engine Updates | Test vs Critical Applications - CPU | Confirm the latest engine is loaded on a test machine, load a selection of your critical business apps, and observe the CPU impact; this can be automated with third-party tools | TRUE/FALSE | |
ENS-014 | Engine Updates | Test vs Critical Applications - Disk I/O | Confirm the latest engine is loaded on a test machine, load a selection of your critical business apps, and observe the disk I/O impact; this can be automated with third-party tools | TRUE/FALSE | |
ENS-015 | Engine Updates | EICAR test | Confirm the latest engine is loaded on a test machine and attempt to access the EICAR test file (available from eicar.org); success if a threat detection occurs | TRUE/FALSE | |
ENS-016 | Policy Change - Enable/Change GTI Sensitivity | Canary Test | Configure a select group of machines with a policy configured to use your target GTI sensitivity, give them a short ASCI, and observe whether they experience issues | TRUE/FALSE | |
ENS-017 | Policy Change - Enable/Change GTI Sensitivity | Test vs Critical Applications - Memory | Confirm the policy configured to use your target GTI sensitivity is applied on a test machine, load a selection of your critical business apps, and observe the memory impact; this can be automated with third-party tools | TRUE/FALSE | |
ENS-018 | Policy Change - Enable/Change GTI Sensitivity | Test vs Critical Applications - CPU | Confirm the policy configured to use your target GTI sensitivity is applied on a test machine, load a selection of your critical business apps, and observe the CPU impact; this can be automated with third-party tools | TRUE/FALSE | |
ENS-019 | Policy Change - Enable/Change GTI Sensitivity | Test vs Critical Applications - Disk I/O | Confirm the policy configured to use your target GTI sensitivity is applied on a test machine, load a selection of your critical business apps, and observe the disk I/O impact; this can be automated with third-party tools | TRUE/FALSE | |
ENS-020 | ENS Platform Upgrade | Validate Self-Protection | Attempt to stop the ENS services in the Windows Services manager; successful if you cannot | TRUE/FALSE | |
ENS-021 | ENS Platform Upgrade | Validate Policy Enforcement | Open the ENS local management console and unlock the interface if needed; visually confirm policies are applied as expected | TRUE/FALSE | |
ENS-022 | ENS Platform Upgrade | Validate Event Generation | Trigger a TP, AP, or ExP rule and observe whether a threat event is generated | TRUE/FALSE | |
ENS-023 | ENS Platform Upgrade | Validate Event Transmission to ePO | In the Trellix Agent Status Monitor, click "Send Events" after triggering a threat event and observe whether it is sent to ePO | TRUE/FALSE | |
ENS-024 | ENS Threat Prevention Upgrade | Validate AMCore DAT update manually | Choose "Update Security..." in the Trellix Agent tray icon right-click menu and observe the results | TRUE/FALSE | |
ENS-025 | ENS Threat Prevention Upgrade | Validate On Demand Scan functionality | Right-click scan a predetermined folder on an upgraded machine and observe the results | TRUE/FALSE | |
ENS-026 | ENS Threat Prevention Upgrade | Validate On Access Scan functionality | Attempt to save an eicar.txt file containing the test string from eicar.org and observe the results | TRUE/FALSE | |
ENS-027 | ENS Threat Prevention Upgrade | Validate Exploit Prevention Functionality | Use your third-party vulnerability management software to attempt a penetration test against your test machine with the latest Exploit Prevention Content and all rules enabled | TRUE/FALSE | |
ENS-028 | ENS Adaptive Threat Prevention Upgrade | Validate Threat Intelligence Exchange Telemetry | Set a test .exe file's reputation to Known Malicious, attempt to execute it, and observe the results | TRUE/FALSE | |
ENS-029 | ENS Adaptive Threat Prevention Upgrade | Validate Dynamic Application Containment | Set a test .exe file's reputation to Known Malicious, attempt to execute it, and observe the results | TRUE/FALSE | |
ENS-030 | ENS Host Firewall Upgrade | Validate local firewall rules match assigned policy in ePO | Visually confirm the local and ePO policies match | TRUE/FALSE | |
ENS-031 | ENS Host Firewall Upgrade | Validate blocked traffic - inbound | Attempt to reach the test host from an intentionally blocked IP address | TRUE/FALSE | |
ENS-032 | ENS Host Firewall Upgrade | Validate blocked traffic - outbound | Attempt to reach an intentionally blocked IP address from the test host | TRUE/FALSE | |
ENS-033 | ENS Host Firewall Upgrade | Validate critical allowed traffic - outbound | Attempt to reach critical locations such as ePO, VPN concentrators, key application servers, and other critical network resources from the test host | TRUE/FALSE | |
ENS-034 | ENS Host Firewall Upgrade | Validate critical allowed traffic - inbound | Verify with critical application administrators that they can reach the test host after the upgrade | TRUE/FALSE | |
ENS-035 | ENS Web Control Upgrade | Validate Policy Enforcement | Visually verify the local policy matches the assigned policy in ePO | TRUE/FALSE | |
ENS-036 | ENS Web Control Upgrade | Validate browser plugins load | View the Edge/Chrome plugin pages to confirm ENS Web Control has loaded | TRUE/FALSE | |
ENS-037 | ENS Web Control Upgrade | Validate search annotation feature | Perform a Google search and observe the presence of green checks, yellow triangles, or red octagons | TRUE/FALSE | |
ENS-038 | ENS Web Control Upgrade | Validate content category block | Attempt to visit a website in a category that is blocked according to your configuration | TRUE/FALSE | |
ENS-039 | ENS Web Control Upgrade | Validate risky website block | Use risky search terms to locate a risky website, click on it, and observe the block page | TRUE/FALSE | |
ENS-040 | ENS Web Control Upgrade | Validate Block List | Attempt to access a website on the explicit block list | TRUE/FALSE | |
ENS-041 | All ENS upgrades | Canary Test | Configure a select group of machines with a policy configured to receive the N-0 update and observe whether they experience issues | TRUE/FALSE | |
ENS-042 | All ENS upgrades | Test vs Critical Applications - Memory | Confirm the N-0 version is loaded on a test machine, load a selection of your critical business apps, and observe the memory impact; this can be automated with third-party tools | TRUE/FALSE | |
ENS-043 | All ENS upgrades | Test vs Critical Applications - CPU | Confirm the N-0 version is loaded on a test machine, load a selection of your critical business apps, and observe the CPU impact; this can be automated with third-party tools | TRUE/FALSE | |
ENS-044 | All ENS upgrades | Test vs Critical Applications - Disk I/O | Confirm the N-0 version is loaded on a test machine, load a selection of your critical business apps, and observe the disk I/O impact; this can be automated with third-party tools | TRUE/FALSE | |
ENS-045 | All ENS upgrades | EICAR test | Confirm the N-0 version is loaded on a test machine and attempt to access the EICAR test file (available from eicar.org); success if a threat detection occurs | TRUE/FALSE | |
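Two rows in the table above, ENS-020 (self-protection) and ENS-026 (on-access scan of an eicar.txt), can be scripted on the designated test machine so they return the same TRUE/FALSE the table expects. The following PowerShell is an added example and is not Trellix's code: it assumes an elevated session on the test machine, it finds the ENS services by display name ('Trellix*' or 'McAfee*'), which you should confirm against Get-Service on your build, and it infers an on-access block from the write being denied or the file disappearing within a short wait window.

```powershell
# Added example, not code from the Trellix post. Automates ENS-020
# (self-protection) and ENS-026 (on-access scan) on a designated test machine
# and returns rows shaped like the table above.
# Assumptions: elevated PowerShell on the test machine; ENS services are found
# by display name ('Trellix*' or 'McAfee*'), which you should confirm against
# Get-Service on your build; an on-access block is inferred from the write
# being denied or the file being removed within the wait window.

# ENS-020: try to stop each running ENS service. Pass when none can be stopped.
function Test-EnsSelfProtection {
    $svcs = Get-Service | Where-Object {
        $_.Status -eq 'Running' -and
        ($_.DisplayName -like 'Trellix*' -or $_.DisplayName -like 'McAfee*')
    }
    if (-not $svcs) {
        return [pscustomobject]@{ TestId = 'ENS-020'; Pass = $false; Detail = 'no ENS services found' }
    }
    $stoppable = @()
    foreach ($s in $svcs) {
        try {
            Stop-Service -Name $s.Name -Force -ErrorAction Stop
            if ((Get-Service -Name $s.Name).Status -eq 'Stopped') {
                # Self-protection did not hold; restart it so the test box stays protected.
                $stoppable += $s.Name
                Start-Service -Name $s.Name -ErrorAction SilentlyContinue
            }
        } catch {
            # "Access is denied" is the expected outcome with self-protection on.
        }
    }
    [pscustomobject]@{
        TestId = 'ENS-020'
        Pass   = ($stoppable.Count -eq 0)
        Detail = "checked $($svcs.Count) services; stoppable: " + ($stoppable -join ', ')
    }
}

# ENS-026: write eicar.txt and watch what the on-access scanner does with it.
function Test-EnsOnAccessEicar {
    param(
        [string]$Path = "$env:TEMP\eicar.txt",
        [int]$WaitSeconds = 15
    )
    # EICAR test string as published at eicar.org. Single quotes keep '$' literal;
    # WriteAllText writes UTF-8 without a BOM, so the bytes match the signature.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    $writeDenied = $false
    try {
        [IO.File]::WriteAllText($Path, $eicar)
    } catch {
        $writeDenied = $true
    }
    $deadline = (Get-Date).AddSeconds($WaitSeconds)
    $present = (-not $writeDenied) -and (Test-Path -LiteralPath $Path)
    while ($present -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 1
        $present = Test-Path -LiteralPath $Path
    }
    $detail = 'file still present after wait'
    if ($writeDenied) { $detail = 'write denied' } elseif (-not $present) { $detail = 'file removed by on-access scan' }
    if ($present) { Remove-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue }
    [pscustomobject]@{ TestId = 'ENS-026'; Pass = (-not $present); Detail = $detail }
}

# Emit the rows in the table's column order.
$results = @(Test-EnsSelfProtection; Test-EnsOnAccessEicar)
$results |
    Select-Object TestId, @{ n = 'Pass?'; e = { if ($_.Pass) { 'TRUE' } else { 'FALSE' } } }, Detail |
    Format-Table -AutoSize
```

A "file still present" result for ENS-026 is not automatically a failure of the product: the Detail column is there so you can check the local ENS console for the corresponding threat event before recording the row.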
Endpoint Detection and Response (EDR)
Test Cases for Endpoint Detection and Response (EDR)
Test ID | Applicable to (type of change)? | Test Name | Description/Procedure | Pass? | Test Date |
EDR-001 | EDR Agent Upgrade | Validate agent version (client) | Verify in the Trellix Agent 'About' page | TRUE/FALSE | |
EDR-002 | EDR Agent Upgrade | Validate agent version (ePO) | Check the system record in the ePO System Tree and verify the EDR version | TRUE/FALSE | |
EDR-003 | EDR Agent Upgrade | Canary Test | Deploy the update to selected canary testers and observe the results | TRUE/FALSE | |
EDR-004 | EDR Agent Upgrade | Check Realtime Update status | Run the Real-Time Search "HostInfo hostname", where hostname is your canary tester(s) | TRUE/FALSE | |
EDR-005 | EDR Agent Upgrade | Check Device Search | Open Device Search and enter the hostname of a canary tester to validate that artifacts are captured | TRUE/FALSE | |
EDR-006 | EDR Agent Upgrade | EICAR Test | Attempt to write the EICAR file to disk on your canary tester | TRUE/FALSE | |
EDR-007 | EDR Agent Upgrade | Quarantine Host | Quarantine a canary tester and validate that the endpoint is quarantined (cannot communicate except with security tools) | TRUE/FALSE | |
EDR-008 | EDR Agent Upgrade | Un-Quarantine Host | Attempt to unquarantine your quarantined host; successful if it can reach Google | TRUE/FALSE | |
EDR-009 | EDR Agent Upgrade | Test vs Critical Applications - Memory | Designate test hosts with critical apps installed and measure memory usage vs. baseline for 1 hour after deployment while validating critical app functionality. May be automated. | TRUE/FALSE | |
EDR-010 | EDR Agent Upgrade | Test vs Critical Applications - CPU | Designate test hosts with critical apps installed and measure CPU usage vs. baseline for 1 hour after deployment while validating critical app functionality. May be automated. | TRUE/FALSE | |
EDR-011 | EDR Agent Upgrade | Test vs Critical Applications - Disk I/O | Designate test hosts with critical apps installed and measure disk I/O usage vs. baseline for 1 hour after deployment while validating critical app functionality. May be automated. | TRUE/FALSE | |
EDR-012 | EDR Content Update | Canary Test | Configure a select group of machines to use the Evaluation Branch to pull their EDR Content updates, give them a short ASCI, and observe whether they experience issues | TRUE/FALSE | |
EDR-013 | EDR Content Update | Test vs Critical Applications - Memory | Confirm the latest EDR Content is loaded on a test machine, load a selection of your critical business apps, and observe the memory impact; this can be automated with third-party tools | TRUE/FALSE | |
EDR-014 | EDR Content Update | Test vs Critical Applications - CPU | Confirm the latest EDR Content is loaded on a test machine, load a selection of your critical business apps, and observe the CPU impact; this can be automated with third-party tools | TRUE/FALSE | |
EDR-015 | EDR Content Update | Test vs Critical Applications - Disk I/O | Confirm the latest EDR Content is loaded on a test machine, load a selection of your critical business apps, and observe the disk I/O impact; this can be automated with third-party tools | TRUE/FALSE | |
EDR-016 | EDR Content Update | EICAR test | Confirm the latest EDR Content is loaded on a test machine and attempt to access the EICAR test file (available from eicar.org); success if a threat detection occurs | TRUE/FALSE | |
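The reachability rows in both tables, ENS-031 to ENS-034 for the host firewall and EDR-007/EDR-008 for quarantine, are the same check with different expected outcomes: a list of destinations, each expected to be either reachable or blocked. The PowerShell below is an added example, not code from the post; it uses TCP connect attempts with a timeout as the reachability test, and every host name in it is a constructed placeholder to be replaced with your own ePO, VPN and application servers.

```powershell
# Added example, not code from the Trellix post. Drives the reachability
# checks behind ENS-031..ENS-034 (host firewall) and EDR-007/EDR-008
# (quarantine) from a list of expected outcomes.
# Assumptions: TCP reachability is a good enough proxy for "can reach"; the
# hosts below are constructed placeholders, replace them with your own.
# A firewall block normally shows up as a timeout, so pick ports that are
# actually listening on the target, otherwise a plain "connection refused"
# will look the same as a block.

function Test-TcpReachable {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }   # timed out
        $client.EndConnect($ar)   # throws on refused / unreachable
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Each target: @{ Host = ...; Port = ...; Expect = 'Allow' | 'Block' }.
# A row passes when the observed reachability matches the expectation.
function Test-ConnectivityMatrix {
    param([Parameter(Mandatory)][hashtable[]]$Targets, [int]$TimeoutMs = 3000)
    foreach ($t in $Targets) {
        $reachable = Test-TcpReachable -HostName $t.Host -Port $t.Port -TimeoutMs $TimeoutMs
        $expectAllow = ($t.Expect -eq 'Allow')
        [pscustomobject]@{
            Host      = $t.Host
            Port      = $t.Port
            Expect    = $t.Expect
            Reachable = $reachable
            Pass      = ($reachable -eq $expectAllow)
        }
    }
}

# Constructed placeholder targets. The outbound rows ENS-032/ENS-033 run this
# from the test host; for the inbound rows ENS-031/ENS-034 run the same matrix
# from the peer host, pointing at the test host.
$firewallMatrix = @(
    @{ Host = 'epo.example.internal';          Port = 443; Expect = 'Allow' }   # ENS-033: ePO
    @{ Host = 'vpn.example.internal';          Port = 443; Expect = 'Allow' }   # ENS-033: VPN concentrator
    @{ Host = 'blocked-test.example.internal'; Port = 80;  Expect = 'Block' }   # ENS-032: intentionally blocked IP
)

# Quarantine rows: EDR-007 expects everything except security tools blocked;
# after un-quarantine (EDR-008) flip the non-security rows to 'Allow'.
$quarantineMatrix = @(
    @{ Host = 'epo.example.internal';        Port = 443; Expect = 'Allow' }
    @{ Host = 'fileserver.example.internal'; Port = 445; Expect = 'Block' }
    @{ Host = 'www.google.com';              Port = 443; Expect = 'Block' }
)

Test-ConnectivityMatrix -Targets $firewallMatrix | Format-Table -AutoSize
```

Keep the two matrices as files under version control next to the completed tables: when a later ENS or EDR upgrade is tested, the same expected-outcome list is re-run and any row whose Pass column flips is the regression to investigate.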
Trellix Agent
Test Cases for Trellix Agent
Test ID | Applicable to (type of change)? | Test Name | Description/Procedure | Pass? | Test Date |
TA-01 | Update Product Extension | Validate Running Status | Wait 5 minutes and check that the Extensions page for the product shows all extensions in "Running" status | TRUE/FALSE | |
TA-02 | Update Product Extension | Validate Existing Policy | Take screenshots before the update and visually validate that the policies match after the update | TRUE/FALSE | |
TA-03 | Update Product Extension | Test modifying policy | Duplicate and modify an existing policy; successful if you can save the policy with modifications | TRUE/FALSE | |
TA-04 | Update Product Extension | Test modifying policy assignment in system tree | Modify the policy assignment for a single system; successful if you can save the policy assignment | TRUE/FALSE | |
TA-05 | Update Product Extension | Test updated policy application to endpoint system | Observe the Trellix Agent Status Monitor on the system with the modified policy; successful if the new policy is provided | TRUE/FALSE | |
TA-06 | Update Product Extension | Validate Policy Assignment Status reporting | Observe the System Tree entry for the system with the modified policy; successful if the applied policy shows "Up to Date" and the correct policy name | TRUE/FALSE | |
TA-07 | Update Product Extension | Validate event collection | Trigger an event on the system with the modified policy and select "Send Events" in the Trellix Agent Status Monitor; observe whether the event shows in the System Tree entry for the system | TRUE/FALSE | |
TA-08 | Update Product Extension | Validate Definitions Update retrieval | Remove the latest update from the Evaluation branch and re-run the daily update task to force a poll of the Trellix update servers; successful if the same or a newer version of the content file is placed in the Evaluation branch | TRUE/FALSE | |
TA-09 | Update Product Extension | Validate Dashboards still functional | Wait 5 minutes and check each dashboard that includes a query managed by the updated extension; success if none of the queries say "invalid state" or similar | TRUE/FALSE | |
TA-10 | Update Product Extension | Validate Custom Queries | Wait 5 minutes and check each custom query group; success if none of the queries say "invalid state" or similar | TRUE/FALSE | |
TA-11 | Update Product Extension | Validate ePO Performance Impact | Wait 5 minutes, then observe average system utilization over 1 hour vs. baseline (use your performance counter software) | TRUE/FALSE | |
TA-12 | Update Product Extension | Validate Database Performance Impact | Wait 5 minutes, then observe average system utilization over 1 hour vs. baseline (use your performance counter software) | TRUE/FALSE | |
TA-13 | New Trellix Agent version | Canary Test | Configure a select group of machines with a policy configured to receive the N-0 update and observe whether they experience issues | TRUE/FALSE | |
TA-14 | New Trellix Agent version | Validate Product Deployment Task | Attempt to perform a product update of a second package via a client task and observe the result | TRUE/FALSE | |
TA-15 | New Trellix Agent version | Validate Manual Update communication | Select "Update Now" or "Update Security" and observe the communication | TRUE/FALSE | |
TA-16 | New Trellix Agent version | Validate Msg Bus | On a managed system, observe EndpointSecurityPlatform_Errors.log in C:\ProgramData\McAfee\Endpoint Security\Logs | TRUE/FALSE | |
TA-17 | New Trellix Agent version | Validate Msg Bus | MessageBus version check via ePO: System Tree > select system > Trellix Agent tab > click "More" > observe the value of "MessageBus Cert Version" | TRUE/FALSE | |
TA-18 | New Trellix Agent version | Validate DXL connection | Select a machine in the System Tree, choose "Look up in DXL" from the Actions menu, and observe the results | TRUE/FALSE | |
TA-19 | New Trellix Agent version | Validate Trellix Agent Policy assignment | In the System Tree, view the machine record and verify the Trellix Agent policy settings show "Up to date" | TRUE/FALSE | |
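For TA-16 the practical difficulty is separating errors that were already in EndpointSecurityPlatform_Errors.log from those the new agent version produced. The PowerShell below is an added example, not Trellix's code: it bookmarks the log's byte length before the update and afterwards reads only what was appended, resetting to the start if the file was rotated. The log path is the one given in the TA-16 row; the bookmark file location and the pass criterion (no new lines at all) are this example's choices, so any lines it reports still need a human read.

```powershell
# Added example, not code from the Trellix post. Supports TA-16: bookmark the
# size of EndpointSecurityPlatform_Errors.log before the agent update, then
# after the update read only what was appended. The log path is the one given
# in the TA-16 row; the bookmark location and the pass criterion (no new error
# lines) are this example's choices, so still read any lines it reports.

$EnsErrorLog = 'C:\ProgramData\McAfee\Endpoint Security\Logs\EndpointSecurityPlatform_Errors.log'
$Bookmark    = "$env:ProgramData\ens-errors.bookmark"   # assumed location

# Record the current log length (0 if the log does not exist yet).
function Save-LogBookmark {
    param([string]$LogPath = $EnsErrorLog, [string]$BookmarkPath = $Bookmark)
    $length = if (Test-Path -LiteralPath $LogPath) { (Get-Item -LiteralPath $LogPath).Length } else { 0 }
    Set-Content -LiteralPath $BookmarkPath -Value $length
    return [long]$length
}

# Return the non-empty lines appended since the bookmark. If the file is now
# shorter than the bookmark it was rotated, so read it from the beginning.
function Get-NewLogLines {
    param([string]$LogPath = $EnsErrorLog, [string]$BookmarkPath = $Bookmark)
    if (-not (Test-Path -LiteralPath $LogPath)) { return @() }
    $start = 0L
    if (Test-Path -LiteralPath $BookmarkPath) {
        $start = [long]((Get-Content -LiteralPath $BookmarkPath -Raw).Trim())
    }
    # Open with ReadWrite sharing so ENS can keep appending while we read.
    $stream = [IO.File]::Open($LogPath, 'Open', 'Read', 'ReadWrite')
    try {
        if ($stream.Length -lt $start) { $start = 0L }
        [void]$stream.Seek($start, 'Begin')
        $reader = New-Object IO.StreamReader($stream)
        $text = $reader.ReadToEnd()
    } finally {
        $stream.Dispose()
    }
    return @($text -split "`r?`n" | Where-Object { $_ -match '\S' })
}

# TA-16 row: pass when nothing new was logged; otherwise show the first lines.
function Test-TaMessageBusLog {
    $new = @(Get-NewLogLines)
    [pscustomobject]@{
        TestId        = 'TA-16'
        Pass          = ($new.Count -eq 0)
        NewErrorLines = $new.Count
        Sample        = ($new | Select-Object -First 5) -join "`n"
    }
}

# Usage: Save-LogBookmark before the agent update; Test-TaMessageBusLog after.
```

The same bookmark technique works for any append-only product log you want to watch across an update; the only product-specific part is the path.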
ePolicy Orchestrator
Test Cases for ePolicy Orchestrator
Test ID | Applicable to (type of change)? | Test Name | Description/Procedure | Pass? | Test Date |
ePO-1 | Update Product Extension | Validate Running Status | Wait 5 minutes and check that the Extensions page for the product shows all extensions in "Running" status | TRUE/FALSE | |
ePO-2 | Update Product Extension | Validate Existing Policy | Take screenshots before the update and visually validate that the policies match after the update | TRUE/FALSE | |
ePO-3 | Update Product Extension | Test modifying policy | Duplicate and modify an existing policy; successful if you can save the policy with modifications | TRUE/FALSE | |
ePO-4 | Update Product Extension | Test modifying policy assignment in system tree | Modify the policy assignment for a single system; successful if you can save the policy assignment | TRUE/FALSE | |
ePO-5 | Update Product Extension | Test updated policy application to endpoint system | Observe the Trellix Agent Status Monitor on the system with the modified policy; successful if the new policy is provided | TRUE/FALSE | |
ePO-6 | Update Product Extension | Validate Policy Assignment Status reporting | Observe the System Tree entry for the system with the modified policy; successful if the applied policy shows "Up to Date" and the correct policy name | TRUE/FALSE | |
ePO-7 | Update Product Extension | Validate event collection | Trigger an event on the system with the modified policy and select "Send Events" in the Trellix Agent Status Monitor; observe whether the event shows in the System Tree entry for the system | TRUE/FALSE | |
ePO-8 | Update Product Extension | Validate Definitions Update retrieval | Remove the latest update from the Evaluation branch and re-run the daily update task to force a poll of the Trellix update servers; successful if the same or a newer version of the content file is placed in the Evaluation branch | TRUE/FALSE | |
ePO-9 | Update Product Extension | Validate Dashboards still functional | Wait 5 minutes and check each dashboard that includes a query managed by the updated extension; success if none of the queries say "invalid state" or similar | TRUE/FALSE | |
ePO-10 | Update Product Extension | Validate Custom Queries | Wait 5 minutes and check each custom query group; success if none of the queries say "invalid state" or similar | TRUE/FALSE | |
ePO-11 | Update Product Extension | Validate ePO Performance Impact | Wait 5 minutes, then observe average system utilization over 1 hour vs. baseline (use your performance counter software) | TRUE/FALSE | |
ePO-12 | Update Product Extension | Validate Database Performance Impact | Wait 5 minutes, then observe average system utilization over 1 hour vs. baseline (use your performance counter software) | TRUE/FALSE | |
ePO-13 | Add Package to Main Repo | Validate Branch Placement | Visually confirm that the package was placed in the correct branch (Evaluation, Current, or Previous) | TRUE/FALSE | |
ePO-14 | Add Package to Main Repo | Test Replication | Perform replication, then validate by checking that packages are up to date in each repository | TRUE/FALSE | |
ePO-15 | Add Package to Main Repo | Validate existing client tasks | Check existing client tasks that reference older versions of the package to ensure they are not left in a broken state | TRUE/FALSE | |
ePO-16 | Add Package to Main Repo | Test Deployment | Create a client task using the package, then command an early tester to run it; observe on the endpoint whether it is able to download and install | TRUE/FALSE | |
Endpoint Security xAgent (HX)
Test Cases for Endpoint Security xAgent (HX)
Test ID | Applicable to (type of change)? | Test Name | Description/Procedure | Pass? | Test Date |
TEFx-001 | Appliance Operating System Update | Validate new system version | Ensure the system comes back after the reboot, log in to the web UI, and use the terminal command "Show Version" | TRUE/FALSE | |
TEFx-002 | Appliance Operating System Update | Validate xAgent Communication | Check the Host Management tab for check-in status "Online" | TRUE/FALSE | |
TEFx-003 | Appliance Operating System Update | Validate xAgent Acquisitions | Attempt to perform an agent diagnostics acquisition and validate that the diagnostics look normal | TRUE/FALSE | |
TEFx-004 | Appliance Operating System Update | Validate running appliance processes | SSH into the device, run "show pm process", and verify the status | TRUE/FALSE | |
TEFx-005 | Appliance Operating System Update | Validate Host Sets | Visually confirm your host sets are still present and configured as expected | TRUE/FALSE | |
TEFx-006 | Appliance Operating System Update | Validate Policy settings | Visually confirm your policies are still present and configured as expected; take screenshots prior to the update | TRUE/FALSE | |
TEFx-007 | Upgrade of Agent Version | Validate new xAgent version available | Validate the agent version in the Endpoint Forensics Console; ensure the host shows online in Host Management | TRUE/FALSE | |
TEFx-008 | Upgrade of Agent Version | Canary Test | Create a host set configured to use the N-0 xAgent version and observe whether those hosts experience issues | TRUE/FALSE | |
TEFx-009 | Upgrade of Agent Version | Validate xAgent Install | Check the version in Properties -> Details of C:\ProgramData\FireEye\Drivers\wfp_x64\fekern.sys; it should match the major version of the xAgent | TRUE/FALSE | |
TEFx-010 | Upgrade of Agent Version | Validate xAgent Online Status | Check in the Host Management tab | TRUE/FALSE | |
TEFx-011 | Upgrade of Agent Version | Validate xAgent Content Versions | Check in the Host Management tab | TRUE/FALSE | |
TEFx-012 | Upgrade of Agent Version | Validate xAgent Acquisitions | Attempt to perform an agent diagnostics acquisition and validate that the diagnostics look normal | TRUE/FALSE | |
TEFx-013 | Upgrade of Agent Version | Test Exploit Guard | Run the EG samples on the host endpoint and wait for the alert to trigger in the Endpoint Forensics Console | TRUE/FALSE | |
TEFx-014 | Upgrade of Agent Version | Test Malware Protection | Download an EICAR file and wait for the alert to trigger in the Endpoint Forensics Console | TRUE/FALSE | |
TEFx-015 | Upgrade of Agent Version | Test Real-Time IOC Detection | Create a file with test conditions matching the IOC rules for the specific operating system (for example, on Windows: feqatest.exe is running) | TRUE/FALSE | |
TEFx-016 | Upgrade of Agent Version | Test Module usage | Once the module is installed, enable it and validate the specific functionality on the endpoint (each module is unique) | TRUE/FALSE | |
TEFx-017 | Upgrade of Agent Version | Test vs Critical Applications - Memory | Designate test hosts with critical apps installed and measure memory usage vs. baseline for 1 hour after deployment while validating critical app functionality. May be automated. | TRUE/FALSE | |
TEFx-018 | Upgrade of Agent Version | Test vs Critical Applications - CPU | Designate test hosts with critical apps installed and measure CPU usage vs. baseline for 1 hour after deployment while validating critical app functionality. May be automated. | TRUE/FALSE | |
TEFx-019 | Upgrade of Agent Version | Test vs Critical Applications - Disk I/O | Designate test hosts with critical apps installed and measure disk I/O usage vs. baseline for 1 hour after deployment while validating critical app functionality. May be automated. | TRUE/FALSE | |
TEFx-020 | Daily Security Content Updates | Canary Test | Create a host set configured to use the N-0 content update version and observe whether those hosts experience issues | TRUE/FALSE | |
TEFx-021 | Daily Security Content Updates | Validate Content Update Deployment | Check the Host Management tab for the content version updated to the N-0 version number | TRUE/FALSE | |
TEFx-022 | Daily Security Content Updates | Test Malware Protection | Download an EICAR file and wait for the alert to trigger in the Endpoint Forensics Console | TRUE/FALSE | |
TEFx-023 | Daily Security Content Updates | Test Real-Time IOC Detection | Create a file with test conditions matching the IOC rules for the specific operating system (for example, on Windows: feqatest.exe is running) | TRUE/FALSE | |
TEFx-024 | Daily Security Content Updates | Test vs Critical Applications - Memory | Designate test hosts with critical apps installed and measure memory usage vs. baseline for 1 hour after deployment while validating critical app functionality. May be automated. | TRUE/FALSE | |
TEFx-025 | Daily Security Content Updates | Test vs Critical Applications - CPU | Designate test hosts with critical apps installed and measure CPU usage vs. baseline for 1 hour after deployment while validating critical app functionality. May be automated. | TRUE/FALSE | |
TEFx-026 | Daily Security Content Updates | Test vs Critical Applications - Disk I/O | Designate test hosts with critical apps installed and measure disk I/O usage vs. baseline for 1 hour after deployment while validating critical app functionality. May be automated. | TRUE/FALSE | |
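TEFx-009 asks for the version of fekern.sys to be read from the file's Properties dialog; the same check can be done from PowerShell on each canary host and, while at it, the driver's Authenticode signature status can be recorded alongside. The block below is an added example and not Trellix's code: the driver path is the one given in the TEFx-009 row, the pass criterion is the row's own (major version matches the deployed xAgent), and the expected version is a placeholder you fill in from the Endpoint Forensics Console.

```powershell
# Added example, not code from the Trellix post. Automates TEFx-009: read the
# file version of fekern.sys (path from the table row) and compare its major
# number with the xAgent version you deployed; also report whether the driver
# carries a valid Authenticode signature. $ExpectedAgentVersion is a
# placeholder you fill from the Endpoint Forensics Console.

function Test-HxDriverVersion {
    param(
        [Parameter(Mandatory)][string]$ExpectedAgentVersion,
        [string]$DriverPath = 'C:\ProgramData\FireEye\Drivers\wfp_x64\fekern.sys'
    )
    if (-not (Test-Path -LiteralPath $DriverPath)) {
        return [pscustomobject]@{
            TestId = 'TEFx-009'; Pass = $false; DriverVersion = $null
            SignatureStatus = $null; Detail = "driver not found at $DriverPath"
        }
    }
    $info = (Get-Item -LiteralPath $DriverPath).VersionInfo
    # FileVersion can carry trailing build text, so split on dots, commas and spaces.
    $driverVersion = if ($info.FileVersion) { $info.FileVersion } else { $info.ProductVersion }
    $driverMajor   = ($driverVersion -split '[., ]')[0]
    $expectedMajor = ($ExpectedAgentVersion -split '[., ]')[0]
    $sig = Get-AuthenticodeSignature -FilePath $DriverPath
    [pscustomobject]@{
        TestId          = 'TEFx-009'
        Pass            = ($driverMajor -eq $expectedMajor)
        DriverVersion   = $driverVersion
        SignatureStatus = $sig.Status.ToString()
        Detail          = "driver major $driverMajor vs expected major $expectedMajor"
    }
}

# Usage (placeholder version string):
# Test-HxDriverVersion -ExpectedAgentVersion '<xAgent version from the console>'
```

SignatureStatus is informational rather than part of the row's pass criterion, but a value other than Valid on a freshly upgraded canary host is worth raising with support before the xAgent version is rolled out further.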
Conclusion
While incidents like the July 19, 2024 CrowdStrike outage are disruptive, Trellix offers customers Transparency, Choice, and Responsibility in our software and content update processes. This enables customers to exercise due diligence and consistent testing in their environments, which can dramatically limit impacts and reduce the risks to your organization. If your organization needs help putting in that effort, consider Trellix Professional Services. We offer various strategic and technical services that can help your team test, automate, operate, and govern your cyber defenses. Contact your Trellix account manager, or if you haven’t got one yet, let us know you’re interested. Tell them you want fully tested software and security content updates to get the ball rolling!
Continue reading the series: Part 1 (Intro), Part 2 (Product Features ePO, EDR, and ENS), Part 3 (Product Features Endpoint Forensics), and Part 4 (Testing Procedures for ePO, EDR, ENS, and HX).
Make sure you read this disclaimer after all that recommendation goodness:
This document may contain information on Trellix products, services, and/or processes in development. All information provided here is subject to change without notice at Trellix’s sole discretion. Contact your Trellix representative for the latest forecast, schedule, specifications, and roadmaps.